29.4.1 Databases

This section contains brief descriptions of any new databases introduced in Samba-3. Please remember to back up your existing ${lock directory}/*tdb before upgrading to Samba-3. Samba will upgrade databases as they are opened (if necessary), but downgrading from 3.0 to 2.2 is an unsupported path.

The new tdb files are described in Table 29.1.

Table 29.1. TDB File Descriptions

29.4.2 Changes in Behavior

The following issues are known changes in behavior between Samba-2.2 and Samba-3 that may affect certain installations of Samba.

29.4.3 Passdb Backends and Authentication

There have been a few new changes that Samba administrators should be aware of when moving to Samba-3.

Samba-3 also includes the possibility of setting up chains of authentication methods (auth methods) and account storage backends (passdb backend). Please refer to the smb.conf man page and Chapter 10, Account Information Databases, for details. While both parameters assume sane default values, it is likely that you will need to understand what the values actually mean in order to ensure Samba operates correctly.

Certain functions of the smbpasswd tool have been split between the new smbpasswd utility, the net tool and the new pdbedit utility. See the respective man pages for details.

29.4.4 LDAP

This section outlines the new features affecting Samba/LDAP integration.

29.4.4.1 New Schema

A new object class (sambaSamAccount) has been introduced to replace the old sambaAccount. This change allowed attributes to be renamed to prevent clashes with attributes from other vendors. There is a conversion script (examples/LDAP/convertSambaAccount) to modify an LDIF file to the new schema.

Example:

    $ ldapsearch .... -b "ou=people,dc=..." > old.ldif
    $ convertSambaAccount <DOM SID> old.ldif new.ldif

The <DOM SID> can be obtained by running

    $ net getlocalsid <DOMAINNAME>

on the Samba PDC as root.

The old sambaAccount schema may still be used by specifying the ldapsam_compat passdb backend. However, the sambaAccount and associated attributes have been moved to the historical section of the schema file and must be uncommented before use if needed. The Samba-2.2 object class declaration for a sambaAccount has not changed in the Samba-3 samba.schema file.

Other new object classes and their uses include:

29.4.4.2 New Suffix for Searching

The following new smb.conf parameters have been added to aid in directing certain LDAP queries when passdb backend = ldapsam://... has been specified.

If an ldap suffix is defined, it will be appended to all of the remaining sub-suffix parameters. In this case, the order of the suffix listings in smb.conf is important. Always place the ldap suffix first in the list.

Due to a limitation in Samba's smb.conf parsing, you should not surround the DNs with quotation marks.

29.4.4.3 IdMap LDAP Support

Samba-3 supports an ldap backend for the idmap subsystem. The following options inform Samba that the idmap table should be stored on the directory server onterose in the "ou=idmap,dc=quenya,dc=org" partition.

    ...
    idmap backend = ldap:ldap://onterose/
    ldap idmap suffix = ou=idmap,dc=quenya,dc=org
    idmap uid = 40000-50000
    idmap gid = 40000-50000

This configuration allows Winbind installations on multiple servers to share a UID/GID number space, thus avoiding the interoperability problems with NFS that were present in Samba-2.2.
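
The two smb.conf rules from section 29.4.4.2 (ldap suffix listed first, DNs without quotation marks) can be checked before an upgraded configuration goes live. The following is an added example, not part of the Samba documentation or source; the function name, the sample configuration and the host ldap.example.org are hypothetical, and sub-suffix parameters are recognised only by the pattern "ldap <word> suffix".

```python
import re

# Constructed sample smb.conf (not from the page): a sub-suffix precedes
# "ldap suffix" and one DN is wrapped in quotation marks.
SAMPLE = """\
[global]
    passdb backend = ldapsam://ldap.example.org
    ldap user suffix = ou=people
    ldap suffix = "dc=example,dc=org"
    ldap idmap suffix = ou=idmap
"""

# Assumption: every sub-suffix parameter is spelled "ldap <word> suffix".
SUB_SUFFIX = re.compile(r"^ldap \w+ suffix$")
QUOTES = ('"', "'")


def lint_ldap_suffixes(text):
    """Return (findings, effective) for the ldap suffix settings in text."""
    findings, base, base_line, subs = [], None, None, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;[" or "=" not in line:
            continue  # blank line, comment, or section header
        key, value = (part.strip() for part in line.split("=", 1))
        key = " ".join(key.lower().split())  # normalise case and spacing
        if key != "ldap suffix" and not SUB_SUFFIX.match(key):
            continue
        if value.startswith(QUOTES) or value.endswith(QUOTES):
            findings.append((lineno, key, "DN is surrounded by quotation marks"))
            value = value.strip("\"'")
        if key == "ldap suffix":
            base, base_line = value, lineno
        else:
            subs.append((lineno, key, value))
    for lineno, key, _ in subs:
        if base_line is not None and lineno < base_line:
            findings.append((lineno, key, "listed before ldap suffix"))
    # Search base as the text describes it (sub-suffix with ldap suffix
    # appended), i.e. what results once the findings above are fixed.
    effective = {k: f"{v},{base}" if base else v for _, k, v in subs}
    return sorted(findings), effective


if __name__ == "__main__":
    problems, bases = lint_ldap_suffixes(SAMPLE)
    for lineno, key, message in problems:
        print(f"line {lineno}: {key}: {message}")
    for key, dn in bases.items():
        print(f"{key} -> {dn}")
```

A sub-suffix that already carries the full base DN shows up in the second mapping with the base repeated, which makes that mistake visible before Samba issues its first LDAP query.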